VYPR
Critical severity 9.8 · NVD Advisory · Published Mar 5, 2026 · Updated May 19, 2026

CVE-2026-2743

Description

Arbitrary File Write via Path Traversal upload to Remote Code Execution in SeppMail User Web Interface. The affected feature is the large file transfer (LFT).

This issue affects SeppMail: 15.0.2.1 and before

AI Insight

LLM-synthesized narrative grounded in this CVE's description and references.

A path traversal vulnerability in SeppMail's Large File Transfer component allows authenticated attackers to achieve remote code execution by overwriting /etc/syslog.conf.

Root Cause

The Large File Transfer (LFT) component in SeppMail's User Web Interface suffers from a path traversal vulnerability during file upload. The application fails to properly sanitize user-supplied filenames, enabling an attacker to write arbitrary files to the filesystem. Specifically, the configuration file /etc/syslog.conf can be overwritten with malicious content, which is then executed by the syslog daemon, leading to remote code execution [2].
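The root cause described above is a client-supplied filename reaching the filesystem without a containment check. The following is an added example, not SeppMail's code or its fix: it contrasts a naive join with a hardened resolver that upload handlers can apply. The upload root `/uploads`, all function names, and the sample filenames are assumptions constructed for illustration.

```python
import os
from pathlib import Path

class UnsafeUploadName(ValueError):
    """Client-supplied filename would land outside the upload root."""

def naive_target(upload_root: str, client_name: str) -> str:
    # Vulnerable pattern: join + normalise, with no check that the result
    # is still below upload_root. An absolute name replaces the root.
    return os.path.normpath(os.path.join(upload_root, client_name))

def safe_target(upload_root: str, client_name: str) -> Path:
    # Reject empty names and control characters (including NUL).
    if not client_name or any(ord(c) < 32 for c in client_name):
        raise UnsafeUploadName("empty name or control character")
    # Treat both separators as path separators, whatever the server OS,
    # and accept only a bare leaf name with no directory component.
    leaf = client_name.replace("\\", "/").rsplit("/", 1)[-1]
    if leaf != client_name or leaf in (".", ".."):
        raise UnsafeUploadName(f"directory component in {client_name!r}")
    root = Path(upload_root).resolve()
    target = (root / leaf).resolve()
    # Defence in depth: after symlinks are followed, the target must
    # still sit below the upload root.
    if root not in target.parents:
        raise UnsafeUploadName(f"{client_name!r} resolves outside the root")
    return target

# Constructed sample filenames; only the first is a legitimate upload name.
SAMPLES = [
    "report.pdf",
    "../etc/syslog.conf",
    "/etc/syslog.conf",
    "..\\..\\etc\\syslog.conf",
    "subdir/notes.txt",
    "..",
]

def classify(upload_root: str, names) -> dict:
    """Map each filename to 'accepted' or 'rejected' under safe_target."""
    verdicts = {}
    for name in names:
        try:
            safe_target(upload_root, name)
            verdicts[name] = "accepted"
        except UnsafeUploadName:
            verdicts[name] = "rejected"
    return verdicts
```

Rejected names are worth logging with the authenticated account that sent them, since a legitimate client has no reason to submit a filename containing a directory component.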

Exploitation

An attacker must first obtain an authenticated session. However, SeppMail enables self-registration by default, making it trivial to create a legitimate user account without any prior authorization. Once authenticated, the attacker can upload a crafted file via the LFT endpoint, using path traversal sequences (e.g., ../etc/syslog.conf) to target the syslog configuration. The uploaded file contains shell commands that are executed when syslog processes logs, resulting in command execution with root privileges [2].

Impact

Successful exploitation grants the attacker full remote code execution on the SeppMail gateway as root. This allows complete compromise of the appliance, including access to all emails, user data, and network communications. The vulnerability affects SeppMail versions 15.0.2.1 and earlier [2].

Mitigation

The issue has been addressed in SeppMail version 15.0.4. Users are strongly advised to upgrade to the latest release to mitigate the risk. No workaround is currently available [2].

AI Insight generated on May 19, 2026. Synthesized from this CVE's description and the cited reference URLs; citations are validated against the source bundle.

Affected products

1
  • SeppMail/SeppMailv5
    Range: unknown

Patches

0

No patches discovered yet.

References

2
